On my client's website there is a 'find address' button on a contact form where people can fill in their postcode and it will send an AJAX request to a PHP script to return street name, town and county.

This PHP script queries a SOAP web service and my client is charged for each postcode lookup that is performed.

It would be trivial for someone with a basic knowledge of development to hotlink my JavaScript file and start using my client's postcode search functionality free of charge, while costing my client money.

I guess it was point number four that you made that was worrying me the most. I couldn't think of any way of doing that but there's a lot I don't know about JavaScript so thought I would let the community weigh in.

I wanted to know if there was any chance somebody could somehow forge the window.location object on their own site and trick my code into running.

Someone with a slightly more advanced knowledge of development will be able to modify your script so that they can continue to gain access.

Perhaps the worst-case scenario is where they load up your web page, edit the script file contents live within their web browser (Google Chrome can do that) so that the page then runs that modified version of your script.
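Because the browser-side script can be edited by whoever runs it, any control over the paid lookup has to be enforced in the PHP script that calls the SOAP service. The following is an added example, not code from this thread: a per-session token plus a lookup budget checked before the SOAP call. The function names, the limit of 5 lookups per hour and the plain array standing in for `$_SESSION` are all assumptions.

```php
<?php
// Added example: server-side gate for the paid postcode lookup.
// Hypothetical names and limits; adapt them to the real endpoint.
const MAX_LOOKUPS = 5;       // assumed budget per session per window
const WINDOW_SECONDS = 3600; // assumed window length

// Called when the contact form is rendered; the token is embedded in the page.
function issue_lookup_token(array &$session): string {
    $session['lookup_token'] = bin2hex(random_bytes(16));
    $session['lookup_times'] = [];
    return $session['lookup_token'];
}

// Called by the AJAX endpoint before it contacts the SOAP service.
function allow_lookup(array &$session, string $token, int $now): bool {
    // The request must belong to a session that actually loaded the form.
    $known = $session['lookup_token'] ?? '';
    if ($known === '' || !hash_equals($known, $token)) {
        return false;
    }
    // Keep only lookups inside the current window, then apply the budget.
    $recent = array_values(array_filter(
        $session['lookup_times'] ?? [],
        fn(int $t): bool => $t > $now - WINDOW_SECONDS
    ));
    $session['lookup_times'] = $recent;
    if (count($recent) >= MAX_LOOKUPS) {
        return false;
    }
    $session['lookup_times'][] = $now;
    return true;
}

// Constructed demonstration: $session stands in for $_SESSION.
$session = [];
$token = issue_lookup_token($session);
$now = 1700000000; // constructed timestamp

$burst = [];
for ($i = 0; $i < 7; $i++) {
    $burst[] = allow_lookup($session, $token, $now + $i);
}
echo "seven rapid lookups: ", json_encode($burst), PHP_EOL;
echo "wrong token: ", json_encode(allow_lookup($session, 'not-the-token', $now)), PHP_EOL;
echo "after the window: ",
    json_encode(allow_lookup($session, $token, $now + WINDOW_SECONDS + 10)), PHP_EOL;
```

The budget caps what any one session can cost. A global daily cap applied in the same place bounds total spend regardless of how many sessions exist.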